An anxious woman looking at her computer

What is RPO and RTO in disaster recovery?

Most modern businesses would list data as one of their top assets. The popularity of easy-to-implement cloud services and the availability of cost-effective recovery solutions make it almost criminal not to protect those assets by backing them up securely. This is even more important when you hear numbers being mentioned like 60% of businesses closing their doors within 1 year of a major failure leading to a loss of their data. An effective backup program could be the difference in recovering from an outage or breach in a matter of minutes, rather than weeks - if at all.

While we could talk all day about the importance of backing up, and of designing an effective Business Continuity and Disaster Recovery Plan (BCDR), right now we’re going to assume that you are already backing up your important stuff and we’re going to dive a little deeper into the terms RPO and RTO - and what they actually mean in the real world. We’ll start with a definition and explanation for each:

Recovery Point Objective (RPO) - A measure of how frequently you back up your data. This could be weekly, daily, hourly or every few minutes. Your RPO should reflect how regularly your essential data is changed. If you lost your data, how “fresh” do your backups need to be to cause the least disruption?

Recovery Time Objective (RTO) – The amount of downtime you can realistically tolerate. How long can you be without your data or service before the financial or reputational damage is too high?

In the simplest of terms, RPO is the frequency with which you backup your data and RTO is the length of time you can afford before you have to restore it. The two are independent but work together to form an essential partnership in your BCDR plan.
Ideally, you should aim to have short RPOs and RTOs. That way when something goes wrong you’ll lose as little data as possible while making sure that your business gets back up and running in a heartbeat.

Well, that’s easy then: "I’d like live backups of my data that can be restored in 10 minutes in the event of an emergency." Job done!

Well, in reality that probably isn’t going to be a feasible option to the majority of businesses out there. Backing up data requires storage, processing power, testing and all sorts of other actions that will ultimately affect the cost of backing up that data. Faster recovery options will also come at a bigger expense for similar reasons. So, how do you achieve the correct balance between RTO and RPO?

The first thing to remember is that not all data is created equal. Some data is used infrequently, hardly ever changes or holds little value to the business and can easily be put onto a monthly or weekly backup schedule. Think of policies and HR records. Other data and services, such as e-commerce payment transactions, could change frequently and may need to be backed up instantly if possible. Similarly, your RTO could be very different depending on the specific data or systems. This is usually determined by the way in which your business operates. For example, you may be able to handle a couple of hours without access to email whereas having your e-commerce website down for 15 minutes could severely affect your revenue for the day. Your RTO could also vary considerably depending on the time of day. Using our e-commerce website example, you may find that no-one even notices if the site is down in the early hours of the morning.

When determining RPO and RTO for disaster recovery purposes, we recommend capturing and understanding the disaster type or nature of any potential disasters in the first instance. Is it a loss of systems, applications, network, data or even your entire physical location in the event of a fire or flood?
Expand on each disaster type with sub-sections for specific applications, software, data stores etc. and give each of those an RTO and RPO. Once you’ve done that, you have everything you need to plot out an actual plan, with timeframes, to go about recovering your data or systems. For example, a loss of data in the company Share may have an RPO of every 4 hours and an RTO of 2 days. This means that in your risk assessment you’ve accepted a potential loss of up to 4 hours of data and in your BCDR plan, you have a maximum of 2 days to recover that data.

At ITbuilder we offer our customers a choice of backup options from the likes of N-Able (SolarWinds) and Veeam. If you hadn’t really thought of how you would recover your data and systems in the event of an emergency, we can help you build a business continuity plan too.

Jason Abrahamse

Jason is ITbuilder's security expert and leads our information security project team. He provides consultancy and support on matters relating to cyber-resilience and data protection.

Something of an industry veteran, Jason has held various roles in the industry and combines that expertise to consult with customers on security best practices.

Jason is a native of South Africa, but is now a fully naturalised Brit except for not being accustomed to the cold. He lives locally in Hertfordshire.

More articles from

Back to Blog